CN1400771A - Biostatistically verified VLAN - Google Patents

Biostatistically verified VLAN

Publication number: CN1400771A
Authority: CN (China)
Prior art keywords: user, biostatistics, identification information, customer identification, node
Legal status: Granted (the legal status is an assumption and is not a legal conclusion)
Application number: CN02121536.7A
Other languages: Chinese (zh)
Other versions: CN100461686C (en)
Inventors: 桑田政辉, 冈村康一郎, 大麻刚稔
Current assignee (the listed assignees may be inaccurate): Alcatel CIT SA; Alcatel Lucent SAS; Alcatel Lucent NV
Original assignee: Alcatel NV

Application filed by Alcatel NV
Publication of CN1400771A
Application granted
Publication of CN100461686C
Anticipated expiration
Current legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4675 Dynamic sharing of VLAN information amongst network nodes
    • H04L12/4679 Arrangements for the registration or de-registration of VLAN attribute values, e.g. VLAN identifiers, port VLAN membership
Abstract

A user authentication system and method for a data communication network that helps ensure that a user accessing the network resources is indeed the person having a claimed identity. The user's identity is verified by a biometric system by examining the user's physiological or behavioral characteristic. User identification information needed for accessing the network resources is stored in the biometric system and not released until the user's identity is verified. Upon verification of the user's identity, the user identification data is provided to a switching node for determining the VLANs that the user may access.

Description

Biostatistically verified VLAN
Cross reference to related applications
This application claims the benefit of provisional application No. 60/274,113, filed March 8, 2001, the content of which is incorporated herein by reference. This application also contains subject matter related to that disclosed in U.S. Patent No. 6,070,243 and in U.S. application No. 09/838,076, filed April 18, 2001 (attorney docket 41625/JEC/XZ), the contents of both of which are incorporated herein by reference.
Field of the invention
The present invention relates generally to user authentication schemes for communication networks, and more particularly to authenticating a user to a VLAN based on a physical characteristic associated with the user.
Background
A virtual local area network (VLAN) is a logical subnetwork that spans interconnected LANs and is defined by policy rather than by physical location. Traditionally, VLAN membership is assigned to end systems regardless of the identity of the users of those systems. For example, membership in one or more VLANs is assigned to a system by inference from the traffic it originates, comparing the classification of that network traffic against a configured set of rules.
More recently, the identity of the user sending the traffic has been taken into account in the assignment process. Under this newer approach, the user of an end system is granted access to a personalized group of VLANs after his or her authentication. Typically, the user at an end station initiates a one-time authentication session with the switching node to which the end station is physically connected by transmitting a user name and password. The end station may be a personal computer, workstation or the like. The switching node may be a switch, router or the like.
The node searches one or more authentication servers for the user name and password until a match is found, and the user is then allowed access to one or more authorized VLANs. If no match is found, or if the user is not authorized during a login attempt, the user is notified that authentication failed and is denied any access other than further authentication attempts.
A problem with the described authentication scheme is that it merely verifies a claimed identity; it does not identify the user based on the user's own characteristics. Therefore, anyone with access to a valid user name and password can gain access to one or more VLANs, even if that person is not who he or she claims to be. Although precautions can be taken to keep a person's password secret, the user may reveal it inadvertently or choose a password that others can easily guess.
Therefore, there is a need in the current art for a VLAN user authentication scheme that identifies a user according to characteristics that can be reliably tied to the individual. Such a scheme should work with existing switching nodes without requiring them to be modified or rebuilt.
Summary of the invention
According to one embodiment, the present invention is directed to a user authentication system for a communication network that includes a first node and a second node coupled to the first node. The second node receives a biometric sample from an individual, verifies the individual's identity based on the biometric sample, and releases user identification information associated with the individual after the individual's identity has been verified. The user identification information is transmitted to the first node for use in an authentication protocol exchange with a third node.
According to another embodiment, the present invention is directed to a user authentication system for a communication network that includes a host accessible by an individual for accessing one or more VLANs, a biometric system that receives a biometric sample from the individual, and a switching node. The biometric system verifies the individual's identity based on the biometric sample and releases user identification information if the individual's identity is verified. The switching node receives the user identification information produced by the biometric system and allows the host to access the one or more VLANs according to that user identification information.
In another embodiment, the present invention is directed to a user authentication system for a communication network that includes an input for receiving a biometric sample from an individual, a first engine coupled to the input for verifying the individual's identity based on the biometric sample, and a second engine coupled to the first engine for releasing user identification information if the individual's identity is verified by the first engine. The user identification information is used to determine the one or more VLANs for which the individual is authenticated.
In another embodiment, the present invention is directed to a user authentication method for a communication system. The method includes the steps of: receiving a biometric sample from an individual who has access to a first node; comparing the biometric sample with stored biometric data; releasing user identification information in response to a match between the biometric sample and the stored biometric data; comparing the released user identification information with stored user data; retrieving a list of authorized virtual local area networks (VLANs) in response to a match between the user identification information and the stored user data; and allowing the first node to access the authorized VLANs.
In another embodiment, the present invention is directed to a user authentication method for a communication system. The method includes the steps of: receiving a biometric sample from an individual who has access to a first node; verifying the individual's identity based on the biometric sample; and, if the individual's identity is verified, allowing the first node to access one or more virtual local area networks (VLANs) selected for that individual.
It should therefore be appreciated that the present invention helps ensure that the users accessing network resources are indeed the people having the claimed identities. By storing the user identification information in a node that releases it only after the user's identity has been verified, unauthorized use of that information is prevented.
Brief description of the drawings
These and other features, aspects and advantages of the present invention will be more fully understood when considered with respect to the following detailed description, appended claims and accompanying drawings, in which:
Fig. 1 is a schematic block diagram of a biometrically verified data communication network according to an embodiment of the invention;
Fig. 2 is a block diagram of the biometric system in the biometrically verified data communication network of Fig. 1;
Fig. 3 is a schematic block diagram of the host in the biometrically verified data communication network of Fig. 1;
Fig. 4 is a block diagram of the switching node in the biometrically verified data communication network of Fig. 1;
Fig. 5 is a schematic block diagram of the network server in the biometrically verified data communication network of Fig. 1;
Fig. 6 is a functional diagram of an authentication agent according to an embodiment of the invention;
Fig. 7 is a functional diagram of an authentication server according to an embodiment of the invention;
Fig. 8 is a functional diagram of a biometric client module according to an embodiment of the invention;
Fig. 9 is a functional diagram of an authentication client module according to an embodiment of the invention; and
Fig. 10 is a process flow diagram of a biometrically verified VLAN according to the invention.
Detailed description
Fig. 1 is a schematic block diagram of a biometrically verified data communication network according to an embodiment of the invention. The network includes a biometric system 10 coupled to a host 12 by a communication link such as a universal serial bus (USB). A switching node 14 is coupled to the host 12 and to a network server 22. The switching node 14 communicates with the host 12 and the network server 22 over the public Internet, a private intranet and/or other connections known in the art.
The biometric system 10 preferably includes circuitry and/or logic for receiving a biometric sample from an individual and verifying his or her identity from that sample. The biometric sample is preferably a physiological or behavioral characteristic used to verify the individual's identity. Such samples may include fingerprints, voice patterns, iris and/or retinal patterns, hand geometry, signature verification, keystroke analysis and/or other characteristics that are unalterable and cannot in practice be transferred from the individual.
The host 12 is preferably a terminal device, such as a personal computer, workstation, server or the like, that interfaces with the biometric system 10 and the switching node 14. The switching node 14 is preferably a gateway device, such as a hub, bridge or router, that forwards packet communications originated by the host to the authorized VLANs 16, 18, 20. The network server 22 is a RADIUS, LDAP (Lightweight Directory Access Protocol) and/or COPS (Common Open Policy Service) server used to authenticate the user of the host 12 to one or more of the VLANs 16, 18, 20. In another embodiment of the invention, the communication network may include a plurality of network servers, each associated with a particular VLAN 16, 18, 20, as described in further detail in U.S. application No. 09/838,076.
The host 12, switching node 14, network server 22 and VLANs 16, 18, 20 may be interconnected by cables or other transmission media and may support different data communication protocols, such as Ethernet, Internet Protocol and/or ATM (Asynchronous Transfer Mode).
In general, a user who wishes to access a particular network resource (such as a particular VLAN) provides his or her biometric sample to the biometric system 10. According to one embodiment of the invention, the biometric system 10 transmits the received biometric sample to the host 12, where the user's identity is verified. In another embodiment, the verification is performed by the biometric device itself. In yet another embodiment, the verification takes place on a separate server (not shown) connected to a default VLAN.
If the user's identity is verified, the biometric system 10 releases the user identification information required to access the network, such as a user name, password, PIN, token or the like. This user identification information is preferably transmitted to the host 12, which then uses it to carry out an authentication protocol exchange with the switching node 14 in order to authenticate the user to one or more of the VLANs 16, 18, 20.
Fig. 2 is a block diagram of the biometric system 10 according to the invention. It should of course be appreciated that Fig. 2 depicts the biometric system 10 without the additional elements and/or components that may be needed to build such a system, so as not to obscure the inventive aspects. The additional elements and/or components not shown in Fig. 2 are well known to those skilled in the art.
The biometric system 10 preferably includes an input 30, a matching engine 34, a biometric database 36, an identification information generator 38, an identification information database 40 and an output 46. The input 30 may be a scanner, video camera, telephone, microphone, keyboard, keypad or another device for receiving a biometric sample from a user.
The matching engine 34 and the identification information generator 38 are software, hardware and/or firmware, such as application-specific integrated circuit (ASIC) modules, used respectively to verify the user's identity and to release user identification information when the user is verified. The matching engine 34 receives the biometric sample provided by the input 30 and searches the biometric database 36 for a match to that sample.
The biometric database 36 preferably holds a biometric template for each user registered with the biometric system 10. Preferably, the biometric template is a mathematical representation of the user's biometric data. In another embodiment, the biometric database 36 may be replaced by a portable token, such as a smart card, which lets users retain possession of their biometric data at all times.
The matching engine 34 compares an input biometric sample with the biometric templates in the biometric database 36 and produces a result 42 for the identification information generator indicating whether the user's identity has been verified. All or part of this result is preferably also shown on the output 46, which may take the form of a monitor, LCD display or other display device. In one embodiment of the invention, all or part of the result is transmitted to the host 12 for display there.
If the user's identity is verified, the identification information generator retrieves the user identification information from the identification information database 40. The identification information database 40 preferably provides centralized storage of the user identification information of the system's registered users. It preferably associates user identification information, such as a user name, password, PIN, token and/or the like, with each biometric template in the biometric database 36. After a biometric template has been matched to the input biometric sample, the appropriate user identification information is retrieved. The retrieved user identification information is transmitted to the host 12 as output data 44.
Those skilled in the art will recognize that although the input 30, matching engine 34, biometric database 36, identification information generator 38, identification information database 40 and output 46 are illustrated as residing in a single biometric system 10, any one of these components, or any combination of them, may operate in one or more other devices in the communication network. For example, the matching engine 34 and/or the identification information generator 38 may reside in the host 12 or in a separate back-end server coupled to a default VLAN.
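The following is an added Python example, not code from the patent or from Alcatel, that models the authentication method listed in the summary above together with the Fig. 2 components just described: the matching engine 34 searching the biometric database 36, the identification information generator 38 releasing credentials from the identification information database 40 only on a match, and the authentication server comparing those credentials against user records to return the authorized VLAN list. The feature-vector templates, the Euclidean-distance threshold, and every user name, password and VLAN assignment are constructed assumptions of this example; the property it demonstrates is that credentials never leave the identification information database unless the sample matched a template.

```python
import hmac
import math

# Biometric database 36: one template per registered user. A template here is a
# small feature vector standing in for the "mathematical representation" the
# page describes; the values are constructed for this example.
BIOMETRIC_TEMPLATES = {
    "tmpl-alice": [0.12, 0.88, 0.45, 0.67],
    "tmpl-bob":   [0.91, 0.05, 0.33, 0.20],
}

# Identification information database 40: credentials tied to each template.
# They are released only after a successful match (constructed values).
IDENTIFICATION_INFO = {
    "tmpl-alice": {"username": "alice", "password": "constructed-pw-1"},
    "tmpl-bob":   {"username": "bob", "password": "constructed-pw-2"},
}

MATCH_THRESHOLD = 0.15   # assumed Euclidean-distance cut-off for a match


def matching_engine(sample, templates=BIOMETRIC_TEMPLATES, threshold=MATCH_THRESHOLD):
    """Matching engine 34: return the id of the closest template if it lies
    within the threshold, otherwise None (this is result 42)."""
    best_id, best_dist = None, math.inf
    for tmpl_id, tmpl in templates.items():
        dist = math.dist(sample, tmpl)
        if dist < best_dist:
            best_id, best_dist = tmpl_id, dist
    return best_id if best_dist <= threshold else None


def identification_info_generator(match_id, info_db=IDENTIFICATION_INFO):
    """Identification information generator 38: release credentials (output
    data 44) only when the matching engine produced a match."""
    if match_id is None:
        return None
    return dict(info_db[match_id])


# Authentication server 72 / user records 74: user identification information
# and the list of VLANs each user is authorized to use (constructed).
USER_RECORDS = {
    "alice": {"password": "constructed-pw-1", "vlans": [16, 18]},
    "bob":   {"password": "constructed-pw-2", "vlans": [20]},
}


def authentication_server(creds, records=USER_RECORDS):
    """Compare the released identification information with the stored user
    data; return the authorized VLAN list on a match, otherwise None."""
    rec = records.get(creds["username"])
    if rec is None or not hmac.compare_digest(rec["password"], creds["password"]):
        return None
    return list(rec["vlans"])


def authenticate_user(sample):
    """The full method: sample -> template match -> release credentials ->
    server lookup -> authorized VLAN list (an empty list means access denied)."""
    match_id = matching_engine(sample)
    creds = identification_info_generator(match_id)
    if creds is None:
        return []
    vlans = authentication_server(creds)
    return vlans if vlans is not None else []


if __name__ == "__main__":
    print(authenticate_user([0.13, 0.87, 0.46, 0.66]))   # alice's VLANs
    print(authenticate_user([0.5, 0.5, 0.5, 0.5]))       # no match: []
```

A real matching engine replaces the distance check with a vendor matcher, and a real authentication server would be RADIUS, LDAP or COPS as the page names; the control flow, and in particular the point at which credentials are released, is what carries over.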
Fig. 3 is a schematic block diagram of the host 12 according to an embodiment of the invention. The host 12 preferably includes a user interface 50, an authentication client module 52 and a biometric client module 54. The user interface 50 preferably includes inputs and outputs such as a keyboard, keypad, display screen, mouse, joystick, trackball and the like.
The biometric client module 54 is preferably a software module application used to communicate with the biometric system 10. Preferably, the biometric client module 54 is invoked automatically after the host 12 is started by the user. The biometric client module detects the biometric system 10 and causes that system to carry out the verification of the user's identity. Alternatively, the biometric client module is invoked only upon a direct action by the user.
The authentication client module 52 is preferably a software module application used to carry out the authentication process with the switching node 14 once the user's identity has been verified. This software module may take the form of a software application installed on the host 12, or the form of a standard software application or network application such as Telnet or XCAP (Xylan Client Authentication Protocol). The authentication client module 52 is preferably configured with an address of the switching node 14. This address may be an IP address or a reserved media access control (MAC) layer address.
Fig. 4 is a schematic block diagram of the switching node 14 according to an embodiment of the invention. The switching node 14 preferably includes a management processor module 60, a trunk module 62 and an authentication module 64 interconnected by a switching link 66. The trunk module and authentication module 62, 64 are preferably implemented in firmware such as an ASIC. The management processor module 60 is preferably implemented as a software module running on a processor of the switching node 14.
The management processor module 60 preferably includes an authentication agent 60a for receiving user identification information from the host 12 and authenticating the user to a particular VLAN. The trunk module 62 preferably receives and transmits packets over a backbone network. The authentication module 64 preferably includes a LAN interface interconnecting the host 12 and the switching link 66. The authentication module 64 preferably also includes logic for interpreting, modifying, filtering and forwarding packets. The authentication module 64 may also perform the LAN media translation needed for the switching node 14 to support hosts operating on different LAN media.
Fig. 5 is a schematic block diagram of the network server 22 according to an embodiment of the invention. The network server 22 preferably includes a user interface 70, an authentication server 72 implemented in software, and user records 74. The user interface 70 preferably includes inputs and outputs such as a keyboard, keypad, display screen, mouse, joystick, trackball and the like.
The user records 74 preferably include user-specific entries, each containing user identification information and a list of the network resources that user is authorized to use. A user-specific entry may also include time restrictions and/or other restrictions on that particular user.
The authentication server 72 communicates with the authentication agent 60a to authenticate the user. The authentication server is preferably also configured with the address of the switching node 14 and the authentication key of the authentication agent 60a on that node. This address is preferably an IP address.
Although the authentication server 72 and the user records 74 are shown on the network server 22, the authentication server 72 and/or the user records 74 may operate on another device in the network that the network server can reach. In addition, although the network server 22 is illustrated with a single authentication server 72, a network operating according to the present invention may include one or more authentication servers.
Fig. 6 is that 100 function diagram is acted on behalf of in a checking of disposing on switching node 14 according to one embodiment of present invention.Checking agency 100 preferably is similar to the software module that 60a is acted on behalf of in the checking that is realized by management processor module 60.Checking agency 100 preferably also disposes an address of switching node 14 and an address of authentication server 72.This configuration address is an IP address preferably.An authentication secret of all right configuration server of checking agency.
Checking agency 100 preferably includes a connection and sets up module 110, and one that is used to set up with authentication server 72 reliably is connected.About this point, connect and to set up module 110 and use the known address of servers to ask and being connected of authentication server 72, and confirm from the server to this type of request responding.Connect and to set up module 110 and also launch and be enough to make information that checking agency 100 and server 72 can verify each other to authentication server 72 neutralizations this information of reception from authentication server 72.Preferably, the exchange by the authentication secret of configuration on checking agency 100 and server 72 realizes mutual checking.
Module 110 is set up in this connection can be encrypted in the information that the information reconciliation code encryption of launching during the process is set up in reliable connection.Considered between checking agency 100 and server 72 flow based on TCP/IP.If a plurality of authentication servers exist, checking agency 100 preferably disposes the address and the authentication secret of each authentication server.Fail if set up with a reliable trial that is connected of particular server, then checking agency 100 can use the known address of another one authentication server to realize that aforesaid process is till one connection is established reliably.
This checking agency 100 preferably also comprises a sign (ID) request module 120.ID request module 120 is used for obtaining identifying information from the checking passenger plane 52 that is operated in main frame 12.The request that ID request module 120 also is used for confirming receiving from checking client module 52 is so that set up a checking session.For example considered to use such as the IP-based stream of the software application of Telnet or XCAP or between checking agency 100 and client's module 52 based on the stream of MAC preferably, this stream uses the checking of disposing on client's module to act on behalf of 100 reservation MAC Address or IP address by checking client module 52 to start.
This checking agency 100 preferably also comprises an ID trunk module 130, is used for a request is transferred to authentication server 72 so that the checking customer identification information.The known address of ID trunk module 130 best related switching nodes 14, with by the user for the identifier of the relevant authentication module 64 of the employed main frame of checking 12 and login identifying information.ID trunk module 130 is preferably launched relevant identifying information and is used for checking to authentication server 72.
Except top, checking agency 100 comprises that is also examined a trunk module 140, is used for transmitting the user state information of receiving from authentication server 72 based on this identifying information.User state information preferably includes a login effectively or login invalid message, and this depends on whether authentication server 72 can successfully verify this identifying information.This is examined trunk module 140 and preferably this user state information is transmitted into main frame 12 and is used to be presented at user interface 50.For example considered between checking agency 100 and client's module 52, to use such as Telnet or XCAP the IP-based stream of software application or based on the stream of MAC.
Checking agency 100 comprises also that preferably a session stops module 150, if a user is used to stop a checking session when being verified failure.Session stops module 150 and is preferably in login failure afterwards to a checking of checking client module 52 emissions session termination messages.Session stops module 150 and also stops and the checking session of verifying client's module 52.
Checking agency 100 also comprises a resource trunk module 160, is used to the checking user of main frame 12 to transmit the link information of receiving that is authorized to from authentication server 72 and is used for storage and uses at switching node 14.The link information that is authorized to can be transmitted into checking agency 100 as user connection information by authentication server 72 in same packet.The link information that is authorized to preferably includes a tabulation of the Internet resources that the user is authorized to.The tabulation of the Internet resources that are authorized to is a tabulation of one or more vlan identifiers preferably.
The link information that is authorized to also can comprise time restriction, this time restriction best definition therebetween the user be authorized to use the time that is authorized to Internet resources, such as the time in that day in the week, one day with allow the time length of visit.Other traditional in this area restriction also can put on this authorized users.Best and corresponding authentication module 64 identifiers of the link information that is authorized to are transmitted to management processor module 60 by checking agency 100 together.Management processor module 60 preferably is associated the known address of the link information that is authorized to the main frame 12 that is verified user's use, and this a pair of being stored in the equipment records.This address is a MAC Address preferably.
Equipment records is preferably in and is used on the switching node 14 so that to receiving from the user and filtering and transmit decision to user's grouping.If main frame 12 is not verified,, preferably is received authentication module 64 by the grouping of main frame emission and loses unless issue checking agency 100.If main frame 12 is verified, then is transmitted to another one and verifies that the branch of main frame is carefully optionally transmitted according to following rule by the checking main frame:
1., then the equipment records on the node is taken measures to share a public VLAN so that examine the source and target main frame if destination address is another host address relevant with switching node 14.If VLAN is shared, then grouping is forwarded to destination host.If VLAN is not shared, then divide into groups to be lost.
2., then the equipment records on the node is taken measures with the retrieval vlan identifier relevant with source host if destination address is not another host address relevant with switching node 14.This vlan identifier preferably is affixed in the grouping and this grouping is launched by trunk module 62.When grouping arrives on the switching node relevant with destination host, the equipment records on the node is taken measures to share a public VLAN so that examine the source and target main frame.If VLAN is shared, then grouping is forwarded to destination host.If VLAN is not shared, then divide into groups to be lost.
Issue in the network and do not continued to be lost by the grouping of probatio inspectionem pecuoarem main frame.Use variety of protocol known in the art can realize the rule of front.Should be appreciated that, in order under aforementioned rule, to transmit and receive grouping, any addressable core, edge or terminal equipment in the network that can require checking not, stand and main frame is treated as the system that has verified.
Checking agency 100 comprises that also an ID stops module 170, is used for main frame 12 is returned to not proofing state from proofing state.This preferably occur in receive from the communication capacity period expires that exit command, be authorized to, checking main frame 12 from the network physics of checking among the user disconnect, checking main frame 12 sends service fails and/or receives from authentication server 72 after the instruction of the network communications capability of cancelling this foundation in a stipulated time length.ID stop module 170 preferably to management processor module 60 pass on one require so that remove the communication capacity data entries that user that communication capacity will be undone is authorized to the address in the slave unit record.One receives a such request, then removes this in the management processor module 60 best slave unit records and is requested clauses and subclauses and verifies that main frame 12 preferably recovers not proofing state.
The connection establishment, ID request, ID relay, verification relay, session termination, resource relay and ID termination modules 110-170 are preferably software modules. However, one skilled in the art would recognize that these modules can be designed as a combination of hardware, firmware and/or software. Those skilled in the art should further appreciate that authentication agent 100 may include other modules that are conventional in the art and are not disclosed here.
Fig. 7 is a functional diagram of authentication server 72 according to one embodiment of the invention. Authentication server 72 includes a resource authorization module 210, which preferably allows a network administrator to input specific user entries for the authorized users of the communication network. Resource authorization module 210 preferably provides a text and/or graphical display to user interface 70 that is operable to accept specific user entries. Resource authorization module 210 preferably stores each specific user entry as a record in user record 74. Each specific user entry preferably includes a user identifier and user identification information, such as a user password, which is verified in order to grant access to VLAN 16, 18 or 20. A specific user entry may also include restriction information, such as time restrictions on the authorized user.
Resource authorization module 210 additionally allows the network administrator to input specific device entries. For each switching node in the network that has an authentication agent, the specific device entry preferably includes the address of switching node 14 and the authentication key that is valid for authentication agent 100 on that node. This address is preferably a unique IP address assigned to the switching node.
Authentication server 72 preferably also includes a connection establishment module 220. Upon receiving a request from the agent, connection establishment module 220 establishes a reliable connection with authentication agent 100. Connection establishment module 220 acknowledges receipt of the request and proceeds to respond to it. Connection establishment module 220 also transmits and receives information sufficient to allow authentication agent 100 and authentication server 72 to authenticate each other. Preferably, authentication is established by an exchange of authentication keys. Connection establishment module 220 can also decrypt the encrypted messages transmitted during the reliable connection establishment process by means of message encryption. A TCP/IP-based stream between authentication agent 100 and server 22 is contemplated.
Authentication server 72 preferably also includes an ID verification module 230. ID verification module 230 is used to perform an authentication process, receiving user identification information from the user via authentication agent 100. Upon receiving user identification information from authentication agent 100, ID verification module 230 determines whether the information matches the information associated with a specific user entry in user record 74. If a match is found and restriction information is associated with that specific user entry, ID verification module 230 then determines, according to the restriction information, whether the user is authorized to access one or more VLANs.
If the user is authorized (whether restricted or unrestricted), ID verification module 230 preferably generates authenticated connection information. In this regard, ID verification module 230 retrieves from user record 74 the list of authorized network resources associated with the matching user identification information. The authorized connection information may also include any time restrictions.
ID verification module 230 also generates user status information. The user status information is preferably a login-valid or login-invalid message. ID verification module 230 preferably forwards the user status information, together with any time restriction information, to authentication agent 100.
If ID verification module 230 cannot find a match for the user identification information in user record 74, or if the user is not authorized at the current time, the ID verification module generates and forwards to authentication agent 100 user status information, preferably in the form of a login-invalid message.
Authentication server 72 preferably also includes an ID storage module 240. ID storage module 240 is preferably used to forward user tracking information for storage and use by the network administrator. This user tracking information is preferably kept for all login attempts made by prospective users, whether successful or not. For each login attempt, the user tracking information may include any information learned from one or more of the following: user identification information, authentication information, user status information, restriction information, and so on.
User tracking information may also include the time at which the login attempt was made. The time may be kept in authentication server 72 and obtained from that server. User tracking information may also include logout events, counts of packets sent and received, the MAC address of host 12, and the like. Authentication server 72 preferably associates the user tracking information and stores it as entries in a network activity database (not shown), which may be accessed by, or located on, network server 22. The entries of the network activity database may be accessed by the network administrator through user interface 70.
In addition to the above, authentication server 72 preferably also includes a network monitoring module 250. Network monitoring module 250 is preferably used to enable the network administrator to access and use the user tracking information generated by ID storage module 240. Network monitoring module 250 provides a text and/or graphical display to user interface 70 that is operable to display this user tracking information. Network monitoring module 250 also enables the network administrator to generate user tracking information reports composed of the relevant information from one or more user tracking information entries.
The resource authorization, connection establishment, ID verification, ID storage and network monitoring modules 210-250 are preferably software modules. However, one skilled in the art would recognize that these modules can be designed as a combination of hardware, firmware and/or software. Those skilled in the art should further appreciate that server 72 may include other modules that are conventional in the art and are not disclosed here.
Fig. 8 is a functional diagram of biometric client module 54, located in host 12, according to one embodiment of the invention. Biometric client module 54 preferably includes a biometric initialization module 310, an authentication display module 320 and an ID transmitter module 330. These modules are preferably software modules. However, one skilled in the art would recognize that these modules can be designed as a combination of hardware, firmware and/or software. Those skilled in the art should further appreciate that biometric client module 54 may include other modules that are conventional in the art and are not disclosed here.
Biometric initialization module 310 preferably requests and establishes a biometric authentication session with biometric system 10 after host 12 starts up. Alternatively, biometric initialization module 310 may be activated by a direct action of the user. Biometric initialization module 310 preferably transmits a request to establish a biometric authentication session to biometric system 10 over USB. Biometric initialization module 310 preferably transmits the request periodically until biometric system 10 responds and performs the authentication of the user's identity.
Authentication display module 320 preferably provides a text and/or graphical display of the result of this biometric authentication process to user interface 50. Such a result may indicate whether the user's identity has been verified. The result may also include a score indicating the percentage match between the biometric sample provided and the stored biometric template.
If the user's identity is verified, ID transmitter module 330 preferably receives the user identification information from biometric system 10. ID transmitter module 330 preferably transmits the identification information to authentication client module 52, where it is used to authenticate the user into one or more of VLANs 16, 18, 20.
Fig. 9 is a functional diagram of authentication client module 52, located in host 12, according to one embodiment of the invention. Authentication client module 52 preferably includes an ID initialization module 410, an authentication display module 420 and an ID disconnect module 430. These modules are preferably software modules. However, those skilled in the art should recognize that these modules can be designed as a combination of hardware, firmware and/or software. Those skilled in the art should also recognize that authentication client module 52 may include other modules that are conventional in the art and are not disclosed here.
Upon receiving user identification information from biometric client module 54, ID initialization module 410 requests and establishes an authentication session with authentication agent 100. ID initialization module 410 preferably transmits a request to establish an authentication session to the authentication agent using the agent's known address. Authentication client module 52 preferably transmits the request periodically until authentication agent 100 responds. A MAC-based stream is contemplated. Alternatively, an IP-based stream may be used through a software application such as Telnet or XCAP.
Authentication display module 420 conveys to the user of host 12 whether the login attempt succeeded or failed. Authentication display module 420 provides a text and/or graphical display to user interface 50 that is operable to display the user status information, preferably the login-valid or login-invalid message received from authentication agent 100 in switching node 14.
ID disconnect module 430 initiates the logout process by which an authenticated user leaves the network. ID disconnect module 430 preferably provides a text and/or graphical display to user interface 50 that is operable to accept a logout command. ID disconnect module 430 preferably transmits the logout command to authentication agent 100, which removes the established network communication capability.
Figure 10 is a process flowchart of the biometric authenticated VLAN according to one embodiment of the invention. The process begins at step 500, where switching node 14 is initialized. After initialization, authentication agent 100 uses the known address of the server to attempt to establish a reliable connection with authentication server 72. Once the TCP session is successfully established, agent 100 and server 72 authenticate each other by exchanging authentication keys.
At step 502, the user starts host 12 and biometric client module 54 is activated. Biometric client module 54 detects biometric system 10 coupled to host 12 and, at step 504, transmits a request for a biometric authentication process. In this regard, the user, either automatically or in response to a prompt from host 12 or biometric system 10, provides a biometric sample to the biometric system. Matching engine 34 compares the biometric sample with the templates stored in biometric database 36 and outputs a result indicating whether the user's identity is verified. As determined at step 506, if the identity is verified, identification information generator 38 provides, at step 510, the user identification information associated with the matching template to biometric client module 54.
At step 512, biometric client module 54 provides the user identification information to authentication client module 52. At step 514, an authentication procedure is invoked based on this user identification information. In this regard, authentication client module 52 transmits an authentication request to authentication agent 100, located in switching node 14. The request includes the user identification information provided by biometric client module 54. The authentication request is transmitted periodically to agent 100 until the agent responds.
Authentication agent 100 receives the request and transmits to authentication server 72 the user identification information, the address of switching node 14 and the identifier of the authentication module 64 associated with host 12. Authentication server 72 searches user record 74 for a specific user entry whose information matches the user identification information. If a matching entry is found, authentication server 72 then reviews the time restrictions. As determined at step 516, if the user is authorized at the current time, authentication server 72 retrieves the list of authorized network resources and the time restrictions, and forwards this information, together with the user status information, to authentication client module 52. The user status information is preferably a login-valid message.
If no matching entry is found, or if the user is not authorized at the current time, user status information (preferably in the form of a login-invalid message) is returned to authentication client module 52 at step 520.
Referring again to step 506, if the user's identity is not verified based on the biometric sample provided, it is determined at step 508 whether the maximum number of authentication attempts has been made. If not, biometric client module 54 preferably invokes the biometric authentication process again, based on a newly provided biometric sample.
Although the present invention has been described in certain specific embodiments, those skilled in the art will have no difficulty devising various changes that do not depart from the scope and spirit of the invention. For example, although the invention has been described with respect to specific software modules associated with specific biometric verification or authentication tasks, those skilled in the art will recognize that any of these tasks may be combined into a single module or separated into separate modules. It should therefore be understood that the invention may be practised otherwise than as specifically described. Accordingly, the embodiments of the invention are to be considered in all respects as illustrative rather than restrictive, the scope of the invention being indicated by the appended claims and their equivalents rather than by the foregoing description.
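As an added example, not code from the patent, the following Python sketch simulates the server-side lookup and time-restriction check of ID verification module 230 (Fig. 7), the device records kept by the agent on each switching node, and the forwarding rule for authenticated hosts given above (VLAN tag appended at the ingress node, shared-VLAN check at the egress node). All class names, record formats, node addresses and sample users are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class UserEntry:
    """A 'specific user entry' as kept in the server's user record (constructed format)."""
    user_id: str
    secret: str                  # user identification info released by the biometric system
    vlans: FrozenSet[int]        # VLANs the user is authorized to access
    window: Optional[Tuple[time, time]] = None  # permitted access time, None = unrestricted


class AuthenticationServer:
    """Plays the role of ID verification (230) and ID storage (240)."""

    def __init__(self, users: List[UserEntry]) -> None:
        self.users = {u.user_id: u for u in users}
        self.tracking: List[tuple] = []  # every login attempt, successful or not

    def verify(self, user_id: str, secret: str, node_addr: str, port: int,
               now: time) -> Tuple[str, FrozenSet[int]]:
        entry = self.users.get(user_id)
        ok = entry is not None and entry.secret == secret
        # A matching entry alone is not enough: the time restriction is applied afterwards.
        if ok and entry.window is not None:
            start, end = entry.window
            ok = start <= now <= end
        status = "login_valid" if ok else "login_invalid"
        self.tracking.append((user_id, node_addr, port, now, status))
        return status, (entry.vlans if ok else frozenset())


class SwitchNode:
    """Plays the role of the authentication agent (100) plus the node's device records."""

    def __init__(self, addr: str, server: AuthenticationServer) -> None:
        self.addr = addr
        self.server = server
        self.records: Dict[str, FrozenSet[int]] = {}  # host MAC -> authorized VLANs

    def login(self, host_mac: str, port: int, user_id: str, secret: str, now: time) -> str:
        status, vlans = self.server.verify(user_id, secret, self.addr, port, now)
        if status == "login_valid":
            self.records[host_mac] = vlans   # host becomes 'authenticated'
        return status

    def logout(self, host_mac: str) -> None:
        """ID termination: drop the entry so the host returns to the unauthenticated state."""
        self.records.pop(host_mac, None)

    def tag(self, src_mac: str) -> Optional[FrozenSet[int]]:
        """Ingress node: VLAN ids to append to a packet from src_mac; None if unauthenticated."""
        return self.records.get(src_mac)

    def accept(self, dst_mac: str, tagged: FrozenSet[int]) -> bool:
        """Egress node: forward only if source and destination share at least one VLAN."""
        dst = self.records.get(dst_mac)
        return dst is not None and bool(dst & tagged)


def forward(src_node: SwitchNode, src_mac: str, dst_node: SwitchNode, dst_mac: str) -> bool:
    """True if a packet from src_mac on src_node is delivered to dst_mac on dst_node."""
    tagged = src_node.tag(src_mac)
    if tagged is None:
        return False                 # unauthenticated source host: dropped at ingress
    return dst_node.accept(dst_mac, tagged)


def demo() -> Dict[str, object]:
    """Constructed scenario: two switching nodes joined by a trunk."""
    server = AuthenticationServer([
        UserEntry("alice", "pw-a", frozenset({16})),
        UserEntry("bob", "pw-b", frozenset({16, 18}), (time(8, 0), time(18, 0))),
        UserEntry("carol", "pw-c", frozenset({20})),
    ])
    n1 = SwitchNode("10.0.0.1", server)   # placeholder node addresses
    n2 = SwitchNode("10.0.0.2", server)
    noon, night = time(12, 0), time(23, 30)
    r: Dict[str, object] = {}
    r["alice"] = n1.login("00:00:00:00:00:01", 1, "alice", "pw-a", noon)
    r["bob"] = n2.login("00:00:00:00:00:02", 2, "bob", "pw-b", noon)
    r["carol"] = n2.login("00:00:00:00:00:03", 3, "carol", "pw-c", noon)
    r["bob_after_hours"] = n2.login("00:00:00:00:00:04", 4, "bob", "pw-b", night)
    r["bad_secret"] = n1.login("00:00:00:00:00:05", 5, "alice", "wrong", noon)
    r["alice_to_bob"] = forward(n1, "00:00:00:00:00:01", n2, "00:00:00:00:00:02")
    r["alice_to_carol"] = forward(n1, "00:00:00:00:00:01", n2, "00:00:00:00:00:03")
    r["unauth_to_bob"] = forward(n1, "00:00:00:00:00:99", n2, "00:00:00:00:00:02")
    n2.logout("00:00:00:00:00:02")
    r["alice_to_bob_after_logout"] = forward(n1, "00:00:00:00:00:01", n2, "00:00:00:00:00:02")
    r["attempts_tracked"] = len(server.tracking)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The server records all five attempts, including the two failures, which is the tracking data the network monitoring module would report on.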

Claims (27)

1. A user authentication system for a communication network, comprising:
a first node; and
a second node coupled to the first node, characterized in that:
the second node receives a biometric sample from an individual, verifies the identity of the individual based on the biometric sample and, after the identity of the individual is verified, releases user identification information associated with the individual, the user identification information being transmitted to the first node for use in performing an authentication protocol exchange with a third node.
2. The user authentication system of claim 1, further characterized in that the third node allows the first node to access one or more virtual local area networks (VLANs) based on the user identification information.
3. The user authentication system of claim 2, further characterized in that the third node denies the first node access to the one or more VLANs if access is sought outside a defined access time.
4. The user authentication system of claim 1, wherein the biometric sample is a physiological characteristic of the individual.
5. The user authentication system of claim 1, wherein the user identification information comprises a user name and password.
6. A user authentication system for a communication network, comprising:
a host accessible by an individual for accessing one or more virtual local area networks (VLANs);
a biometric system that receives a biometric sample from the individual, verifies the identity of the individual based on the biometric sample and, if the identity of the individual is verified, releases user identification information; and
a switching node that receives the user identification information generated by the biometric system and allows the host to access the one or more VLANs according to the user identification information.
7. The user authentication system of claim 6, wherein the biometric sample is a physiological characteristic of the individual.
8. The user authentication system of claim 6, wherein the user identification information comprises a user name and password.
9. The user authentication system of claim 6, further comprising an authentication server coupled to the switching node, the authentication server comparing the user identification information with stored user data and, upon a match, retrieving a list of authorized VLANs.
10. The user authentication system of claim 6, wherein the host is denied access to the one or more VLANs if access is sought outside a defined access time.
11. A user authentication system for a communication network, comprising:
an input for receiving a biometric sample from an individual;
a first engine coupled to the input for verifying the identity of the individual based on the biometric sample; and
a second engine coupled to the first engine for releasing user identification information if the identity of the individual is verified by the first engine, the user identification information being used to determine one or more VLANs that the individual is authorized to access.
12. The user authentication system of claim 11, wherein the first engine compares the biometric sample with stored biometric data and returns a result based on the comparison.
13. The user authentication system of claim 12, further comprising an output for displaying the result.
14. The user authentication system of claim 11, wherein the biometric sample is a physiological characteristic of the individual.
15. The user authentication system of claim 11, wherein the user identification information comprises a user name and password.
16. A user authentication method for a communication system, the method comprising the steps of:
receiving a biometric sample from an individual able to access a first node;
verifying the identity of the individual based on the biometric sample;
releasing user identification information if the identity of the individual is verified; and
performing an authentication protocol exchange, including transmitting the generated user identification information to a second node.
17. The user authentication method of claim 16, further comprising the step of allowing the first node to access one or more virtual local area networks (VLANs) based on the user identification information.
18. The user authentication method of claim 17, further comprising the step of denying the first node access to the one or more VLANs if access is sought outside a defined access time.
19. The user authentication method of claim 16, wherein the biometric sample is a physiological characteristic of the individual.
20. The user authentication method of claim 16, wherein the user identification information comprises a user name and password.
21. A user authentication method for a communication system, the method comprising the steps of:
receiving a biometric sample from an individual able to access a first node;
comparing the biometric sample with stored biometric data;
releasing user identification information in response to a match between the biometric sample and the stored biometric data;
comparing the generated user identification information with stored user data;
retrieving a list of authorized virtual local area networks (VLANs) in response to a match between the user identification information and the stored user data; and
allowing the first node to access the authorized VLANs.
22. The user authentication method of claim 20, wherein the biometric sample is a physiological characteristic of the individual.
23. The user authentication method of claim 20, wherein the user identification information comprises a user name and password.
24. The user authentication method of claim 20, further comprising the step of denying the first node access to the one or more VLANs if access is sought outside a defined access time.
25. A user authentication method for a communication system, the method comprising the steps of:
receiving a biometric sample from an individual able to access a first node;
verifying the identity of the individual based on the biometric sample; and
allowing the first node to access one or more virtual local area networks (VLANs) if the identity of the individual is verified.
26. The user authentication method of claim 25, wherein the biometric sample is a physiological characteristic of the individual.
27. The user authentication method of claim 25, further comprising the step of denying the first node access to the one or more VLANs if access is sought outside a defined access time.

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US27411301P 2001-03-08 2001-03-08
US60/274,113 2001-03-08
US10/011,842 US20020129285A1 (en) 2001-03-08 2001-12-04 Biometric authenticated VLAN
US10/011,842 2001-12-04

Publications (2)

Publication Number Publication Date
CN1400771A true CN1400771A (en) 2003-03-05
CN100461686C CN100461686C (en) 2009-02-11

Family

ID=26682854

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB021215367A Expired - Fee Related CN100461686C (en) 2001-03-08 2002-03-08 Biostatistically verified VLAN

Country Status (4)

Country Link
US (1) US20020129285A1 (en)
EP (1) EP1244273A3 (en)
JP (1) JP4287615B2 (en)
CN (1) CN100461686C (en)

US6496595B1 (en) * 2000-05-19 2002-12-17 Nextgenid, Ltd. Distributed biometric access control apparatus and method

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1610297B (en) * 2003-10-17 2010-12-08 微软公司 Network fingerprinting
CN102932792A (en) * 2012-11-14 2013-02-13 邦讯技术股份有限公司 Method and controller for realizing wireless network cloud
WO2014075375A1 (en) * 2012-11-14 2014-05-22 邦讯技术股份有限公司 Method and controller for implementing wireless network cloud
CN102932792B (en) * 2012-11-14 2016-06-15 邦讯技术股份有限公司 Method and controller for implementing wireless network cloud

Also Published As

Publication number Publication date
EP1244273A3 (en) 2005-07-13
US20020129285A1 (en) 2002-09-12
EP1244273A2 (en) 2002-09-25
CN100461686C (en) 2009-02-11
JP2002373153A (en) 2002-12-26
JP4287615B2 (en) 2009-07-01

Similar Documents

Publication Publication Date Title
CN100461686C (en) Biostatistically verified VLAN
CN100591011C (en) Identification method and system
US8627417B2 (en) Login administration method and server
US7870599B2 (en) Multichannel device utilizing a centralized out-of-band authentication system (COBAS)
CN1756156A (en) Apparatus and method for authenticating users at network access in a communication system
US20050076246A1 (en) Method and apparatus for network security using a router based authentication system
US8966263B2 (en) System and method of network equipment remote access authentication in a communications network
CN1787533A (en) Virtual private network connection methods and systems
CN1913474A (en) Method and system for catching connection information of network auxiliary request part
WO2006020329B1 (en) Method and apparatus for determining authentication capabilities
US20090238172A1 (en) Ip phone terminal, server, authenticating apparatus, communication system, communication method, and recording medium
WO2021145555A1 (en) Blockchain-based multinode authentication method and apparatus therefor
KR100763131B1 (en) Access and Registration Method for Public Wireless LAN Service
CN108924122A (en) Network friend-or-foe identification method and system
CN1601954A (en) Moving principals across security boundaries without service interruption
KR102278808B1 (en) System for single packet authentication using tcp packet and method thereof
CN1783780A (en) Method and device for realizing domain authorization and network authority authorization
EP1244265A2 (en) Integrated policy implementation service for communication network
US7631344B2 (en) Distributed authentication framework stack
JP2001186186A (en) Device for exchanging packets, network system and method for exchanging packets
JP3953963B2 (en) Packet communication device with authentication function, network authentication access control server, and distributed authentication access control system
CN1771711B (en) Secure distributed system for management of local community representation within network devices
CN101848228A (en) Method and system for authenticating computer terminal server ISP identity by using SIM cards
CN1798149A (en) Network account information accessing aviso system and method based on mobile communication terminal
JP2004021761A (en) Authentication access control server device, authentication access control method, authentication access control program, and storage medium with the program stored therein

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090211

Termination date: 20160308